settings: zms: use the safe function strnlen instead of strlen

rghaddab · rghaddab · commit 1acd63a13273 · 2025-03-20T11:00:11.000+01:00
if the provided name in argument is not null this could lead to un
undefined behavior.
Use strnlen to make this safe

Signed-off-by: Riadh Ghaddab &lt;rghaddab@baylibre.com&gt;
diff --git a/subsys/settings/include/settings/settings_zms.h b/subsys/settings/include/settings/settings_zms.h
@@ -54,6 +54,8 @@ extern "C" {
  * if a settings element is deleted it won't be found.
  */
 
+#define SETTINGS_FULL_NAME_LEN SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1
+
 #define ZMS_LL_HEAD_HASH_ID 0x80000000
 #define ZMS_DATA_ID_OFFSET  0x40000000
 #define ZMS_HASH_MASK       GENMASK(29, CONFIG_SETTINGS_ZMS_MAX_COLLISIONS_BITS + 1)
diff --git a/subsys/settings/src/settings_zms.c b/subsys/settings/src/settings_zms.c
@@ -206,7 +206,7 @@ static int settings_zms_load_one(struct settings_store *cs, const char *name, ch
 				 size_t buf_len)
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
-	char r_name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char r_name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc = 0;
 	uint32_t name_hash;
 
@@ -215,7 +215,7 @@ static int settings_zms_load_one(struct settings_store *cs, const char *name, ch
 		return -EINVAL;
 	}
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, strnlen(name, SETTINGS_FULL_NAME_LEN)) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
@@ -247,15 +247,17 @@ static int settings_zms_load(struct settings_store *cs, const struct settings_lo
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_zms_read_fn_arg read_fn_arg;
 	struct settings_hash_linked_list settings_element;
-	char name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc1;
 	ssize_t rc2;
 	uint32_t ll_hash_id;
 	uint32_t name_hash;
 
 	/* If arg->subtree is not null we must load settings in that subtree */
 	if (arg->subtree != NULL) {
-		name_hash = sys_hash32(arg->subtree, strlen(arg->subtree)) & ZMS_HASH_MASK;
+		name_hash =
+			sys_hash32(arg->subtree, strnlen(arg->subtree, SETTINGS_FULL_NAME_LEN)) &
+			ZMS_HASH_MASK;
 		for (int i = 0; i <= cf->hash_collision_num; i++) {
 			name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 			/* Get the name entry from ZMS */
@@ -418,7 +420,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 	/* Find out if we are doing a delete */
 	delete = ((value == NULL) || (val_len == 0));
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, strnlen(name, SETTINGS_FULL_NAME_LEN)) & ZMS_HASH_MASK;
 	/* MSB is always 1 */
 	name_hash |= BIT(31);
 
@@ -571,7 +573,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 no_ll_update:
 #endif /* CONFIG_SETTINGS_ZMS_NO_LL_DELETE */
 		/* Now let's write the name */
-		rc = zms_write(&cf->cf_zms, name_hash, name, strlen(name));
+		rc = zms_write(&cf->cf_zms, name_hash, name, strnlen(name, SETTINGS_FULL_NAME_LEN));
 		if (rc < 0) {
 			return rc;
 		}
